autoregistration fails when server has a non-trusted cert

Bug #948564 reported by David Britton on 2012-03-06
Affects: Landscape Client
Importance: High
Assigned to: Chad Smith

Bug Description

2012-03-06 22:52:04,510 ERROR [PoolThread-twisted.internet.reactor-1] Error contacting the server at https://landscape.local/message-system.
Traceback (most recent call last):
  File "/usr/lib/python2.6/dist-packages/landscape/broker/transport.py", line 70, in exchange
    curly, data = self._curl(spayload, computer_id, message_api)
  File "/usr/lib/python2.6/dist-packages/landscape/broker/transport.py", line 47, in _curl
    headers=headers, cainfo=self._pubkey, curl=curl))
  File "/usr/lib/python2.6/dist-packages/landscape/lib/fetch.py", line 92, in fetch
    raise PyCurlError(e.args[0], e.args[1])
PyCurlError: Error 60: server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none

root@ubuntu:~# wget -q -O - --no-check-certificate http://landscape.local/get-ca-cert
{"custom_ca_cert": "base64: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNQRENDQWFXZ0F3SUJBZ0lKQU1NNnpNU0d1\n Yk5wTUEwR0NTcUdTSWIzRFFFQkJRVUFNRFF4TWpBd0JnTlYKQkFNVEtXVmpNaTB4TURjdE1qRXRN\n VFUxTFRjekxtTnZiWEIxZEdVdE1TNWhiV0Y2YjI1aGQzTXVZMjl0TUI0WApEVEV5TURNd05qSXhO\n VEV4TUZvWERUSXlNRE13TkRJeE5URXhNRm93TkRFeU1EQUdBMVVFQXhNcFpXTXlMVEV3Ck55MHlN\n UzB4TlRVdE56TXVZMjl0Y0hWMFpTMHhMbUZ0WVhwdmJtRjNjeTVqYjIwd2daOHdEUVlKS29aSWh2\n Y04KQVFFQkJRQURnWTBBTUlHSkFvR0JBTlpnSTc1QUdEcEtoWDFGTEJnWG1mamk4Mml3eEJyZDc0\n bjF3aGVRYTRlMgpLUDI4Z3hKWjF6M29sUGJPYnJ4M2o4dFMvSmFPTTJsUTQ5akR4Smk0MlAzc290\n WmdVNElNdUZnMWlaVGJhMU4xCitHUGh5MmRHa0xLU25FUjI2ckxTeGtGcDM4ajIyMW1ldlpEY2xN\n SVZINnZEbzIvVGFreGI3TVUyQ2IzUldoZGYKQWdNQkFBR2pWakJVTUZJR0ExVWRFUVJMTUVtQ0RU\n RXdOeTR5TVM0eE5UVXVOek9DRFRFd0xqRXhNaTQyT1M0eApOREdDS1dWak1pMHhNRGN0TWpFdE1U\n VTFMVGN6TG1OdmJYQjFkR1V0TVM1aGJXRjZiMjVoZDNNdVkyOXRNQTBHCkNTcUdTSWIzRFFFQkJR\n VUFBNEdCQU1yQ1FjcGhYbThKRVV1ajhxay93eUdkYmVhTCtNZXdZQUQ1UitQTkdEV00KN0s5UmFC\n Y0U0dUl2UE8wUGsyNkRHRDBaSWJYditxRGM3emlJL2ZPTXdsY0VlVmM2d1owODdvS3hyTW5mN1Mz\n TgphaXhiZzZIWk9abEY4ZFA0M0VDVlFXZG85dDB1TWZiS3FVcUlhenR2cFRzVlBKZytIdUVXbWk4\n NTJzYmY4d3E2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"}root@ubuntu:~#

Notice when retrieving the custom ca cert from the server it's not trusted (I think that is the point of retrieving it). But, I'm getting redirected through an https (rewrite rule, I'm guessing):

root@ubuntu:~# wget http://landscape.local/get-ca-cert
--2012-03-06 23:26:38-- http://landscape.local/get-ca-cert
Resolving landscape.local... 107.21.155.73
Connecting to landscape.local|107.21.155.73|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://ec2-107-21-155-73.compute-1.amazonaws.com:443/get-ca-cert [following]
--2012-03-06 23:26:38-- https://ec2-107-21-155-73.compute-1.amazonaws.com/get-ca-cert
Resolving ec2-107-21-155-73.compute-1.amazonaws.com... 107.21.155.73
Connecting to ec2-107-21-155-73.compute-1.amazonaws.com|107.21.155.73|:443... connected.
ERROR: cannot verify ec2-107-21-155-73.compute-1.amazonaws.com's certificate, issued by `/CN=ec2-107-21-155-73.compute-1.amazonaws.com':
  Self-signed certificate encountered.
To connect to ec2-107-21-155-73.compute-1.amazonaws.com insecurely, use `--no-check-certificate'.

Looking at the code in that stack trace, there is no special accommodation to retrieve this certificate while ignoring certificate validation.

I guess either the rewrite rule needs to be modified, or the pycurl attempt needs to have an option set.

Chad Smith (chad.smith) on 2012-03-06
Changed in landscape-client:
status: New → In Progress
assignee: nobody → Chad Smith (chad.smith)
Chad Smith (chad.smith) wrote:

Thanks DPB for quick triage and assessment of the fix here. Per our IRC discussions, looks like we need to ensure pycurl will ignore invalid CA certs during the cert pull otherwise we get redirected to https:// and everything falls apart.
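The report and the follow-up comment describe the same shape of fix: the one request that pulls the CA certificate cannot be verified (the server's certificate is signed by that very CA, and the http:// URL is rewritten to https://), so verification has to be relaxed for that single request and for nothing else. The Python below is an added illustration, not landscape-client code: it uses urllib and the standard ssl module instead of pycurl, parses the {"custom_ca_cert": "base64: ..."} body captured in the report above (embedded verbatim as CAPTURED_RESPONSE), and keeps the unverified bootstrap context and the verified exchange context strictly separate, with later requests trusting only the fetched CA rather than the system bundle. The /get-ca-cert and /message-system paths are taken from the report; the optional out-of-band fingerprint pin (the practical mitigation for a trust-on-first-use pull), the function names and the 30-second timeout are assumptions.

```python
import base64
import hashlib
import hmac
import json
import ssl
import urllib.request

# Response body captured in the bug report (wget against /get-ca-cert). The
# "\\n " sequences are the JSON escapes exactly as the server sent them.
CAPTURED_RESPONSE = (
    '{"custom_ca_cert": "base64: '
    "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNQRENDQWFXZ0F3SUJBZ0lKQU1NNnpNU0d1\\n "
    "Yk5wTUEwR0NTcUdTSWIzRFFFQkJRVUFNRFF4TWpBd0JnTlYKQkFNVEtXVmpNaTB4TURjdE1qRXRN\\n "
    "VFUxTFRjekxtTnZiWEIxZEdVdE1TNWhiV0Y2YjI1aGQzTXVZMjl0TUI0WApEVEV5TURNd05qSXhO\\n "
    "VEV4TUZvWERUSXlNRE13TkRJeE5URXhNRm93TkRFeU1EQUdBMVVFQXhNcFpXTXlMVEV3Ck55MHlN\\n "
    "UzB4TlRVdE56TXVZMjl0Y0hWMFpTMHhMbUZ0WVhwdmJtRjNjeTVqYjIwd2daOHdEUVlKS29aSWh2\\n "
    "Y04KQVFFQkJRQURnWTBBTUlHSkFvR0JBTlpnSTc1QUdEcEtoWDFGTEJnWG1mamk4Mml3eEJyZDc0\\n "
    "bjF3aGVRYTRlMgpLUDI4Z3hKWjF6M29sUGJPYnJ4M2o4dFMvSmFPTTJsUTQ5akR4Smk0MlAzc290\\n "
    "WmdVNElNdUZnMWlaVGJhMU4xCitHUGh5MmRHa0xLU25FUjI2ckxTeGtGcDM4ajIyMW1ldlpEY2xN\\n "
    "SVZINnZEbzIvVGFreGI3TVUyQ2IzUldoZGYKQWdNQkFBR2pWakJVTUZJR0ExVWRFUVJMTUVtQ0RU\\n "
    "RXdOeTR5TVM0eE5UVXVOek9DRFRFd0xqRXhNaTQyT1M0eApOREdDS1dWak1pMHhNRGN0TWpFdE1U\\n "
    "VTFMVGN6TG1OdmJYQjFkR1V0TVM1aGJXRjZiMjVoZDNNdVkyOXRNQTBHCkNTcUdTSWIzRFFFQkJR\\n "
    "VUFBNEdCQU1yQ1FjcGhYbThKRVV1ajhxay93eUdkYmVhTCtNZXdZQUQ1UitQTkdEV00KN0s5UmFC\\n "
    "Y0U0dUl2UE8wUGsyNkRHRDBaSWJYditxRGM3emlJL2ZPTXdsY0VlVmM2d1owODdvS3hyTW5mN1Mz\\n "
    "TgphaXhiZzZIWk9abEY4ZFA0M0VDVlFXZG85dDB1TWZiS3FVcUlhenR2cFRzVlBKZytIdUVXbWk4\\n "
    "NTJzYmY4d3E2Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"
    '"}'
)


def parse_ca_cert_response(body):
    """Extract the PEM CA certificate from a {"custom_ca_cert": "base64: ..."} body."""
    value = json.loads(body)["custom_ca_cert"]
    prefix = "base64:"
    if not value.startswith(prefix):
        raise ValueError("unexpected custom_ca_cert encoding")
    # b64decode discards the embedded newlines and spaces before decoding.
    pem = base64.b64decode(value[len(prefix):]).decode("ascii")
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        raise ValueError("custom_ca_cert did not decode to a PEM certificate")
    return pem


def ca_fingerprint(pem):
    """SHA-256 over the DER form, the value an operator can compare out of band."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fingerprint_matches(pem, expected_hex):
    """Constant-time comparison against a pinned fingerprint ("ab:cd:..." or plain hex)."""
    expected = expected_hex.replace(":", "").lower()
    return hmac.compare_digest(ca_fingerprint(pem), expected)


def bootstrap_context():
    """Verification off: used for exactly one request, the CA pull itself."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(ca_pem):
    """Trust only the fetched CA; hostname checking and CERT_REQUIRED are the defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def trust_policy(ctx):
    """Summarise a context's verification settings as (verify_mode name, check_hostname)."""
    return (ctx.verify_mode.name, ctx.check_hostname)


def fetch_ca_cert(base_url, expected_fingerprint=None):
    """Phase 1: pull the CA over a connection we cannot yet verify (redirect to https is fine)."""
    req = urllib.request.Request(base_url + "/get-ca-cert")
    with urllib.request.urlopen(req, context=bootstrap_context(), timeout=30) as resp:
        pem = parse_ca_cert_response(resp.read())
    if expected_fingerprint is not None and not fingerprint_matches(pem, expected_fingerprint):
        raise ValueError("fetched CA does not match the pinned fingerprint")
    return pem


def exchange(base_url, ca_pem, payload):
    """Phase 2: every later request is verified against the fetched CA only."""
    req = urllib.request.Request(base_url + "/message-system", data=payload)
    with urllib.request.urlopen(req, context=verified_context(ca_pem), timeout=30) as resp:
        return resp.read()


if __name__ == "__main__":
    ca = parse_ca_cert_response(CAPTURED_RESPONSE)
    print("bootstrap policy:", trust_policy(bootstrap_context()))
    print("exchange policy: ", trust_policy(verified_context(ca)))
    print("CA sha256:", ca_fingerprint(ca))
```

Run stand-alone it only parses the captured response and prints the two policies and the fingerprint; fetch_ca_cert and exchange need a live server. The point of the split is that the relaxed context never leaks into exchange: the verified context is built from the fetched PEM alone, so the system CA bundle (the /etc/ssl/certs/ca-certificates.crt in the traceback) is not consulted at all for message exchange.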

Chad Smith (chad.smith) on 2012-03-07
Changed in landscape-client:
status: In Progress → Fix Committed
Changed in landscape-client:
status: Fix Committed → Fix Released